Dropbox's password nightmare highlights cloud risks

NEW YORK (CNNMoney) -- It's the security nightmare scenario: A website stuffed with sensitive documents leaves all of its customer data unprotected and exposed.

It happened this week to Dropbox, a cloud storage site used by 25 million customers to store documents, videos, photos and other files. For four hours on Sunday, a site glitch let visitors use any password to log in to customers' accounts.

Dropbox fessed up to the mistake in a blog post on Monday. A code update gone awry introduced what the site delicately called an "authentication bug." The error was fixed five minutes after it was discovered, but for a four-hour stretch, the site's defenses were down.
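The failure described above, a change that makes the login path accept any password, is the kind of regression a deploy gate can catch before it ships. The following is an added illustration, not Dropbox's code and not a reconstruction of its bug: a minimal password-verification routine using only the Python standard library, with a check that asserts the negative cases (wrong password, empty password, unknown user) are rejected. The user store, the usernames and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user store for the example; a real service would
# keep salted hashes in a database.
_USERS = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an assumption for illustration.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(username: str, password: str) -> None:
    # Fresh random salt per user so identical passwords hash differently.
    salt = secrets.token_bytes(16)
    _USERS[username] = (salt, _hash_password(password, salt))


def verify_login(username: str, password: str) -> bool:
    record = _USERS.get(username)
    if record is None:
        # Unknown user: still spend a hash so the response time does not
        # reveal whether the username exists.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    # Constant-time comparison of the stored hash against the candidate.
    return hmac.compare_digest(stored, _hash_password(password, salt))


def authentication_regression_check() -> bool:
    """Deploy-gate check: the login path must reject every wrong credential.

    Returns True only if the correct password is accepted AND each of the
    negative cases is refused. A change that made verify_login accept any
    password would make this return False.
    """
    register("alice", "correct horse battery staple")
    return (
        verify_login("alice", "correct horse battery staple")
        and not verify_login("alice", "anything else")
        and not verify_login("alice", "")
        and not verify_login("nobody", "correct horse battery staple")
    )


if __name__ == "__main__":
    print("login path ok" if authentication_regression_check() else "REGRESSION")
```

The point of the check is the negative assertions: a test suite that only confirms the right password works would pass even when every password works.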

"This should never have happened," Dropbox wrote in its blog.

But it did -- and as individuals and corporations move to storing sensitive information in online lockers, they could get burned.

"Any trust in the cloud is too much trust in the cloud -- it's as simple as that," says Dave Aitel, president and CEO of security firm Immunity Inc. "It's pretty much the standard among security professionals that you should put on the cloud only what you would be willing to give away."

Like many other consumer-focused cloud services, Dropbox essentially traded some security for ease of use. The company encrypts and decrypts data on its own servers -- which makes it easy for users to log in with just a password, instead of a complex encryption key. But it also leaves a lot in Dropbox's hands.

"It's giving them all the keys to the castle," Aitel says. "When you're your own hosting provider, you're self-insured. But when you let someone else keep the encryption keys, it's like outsourcing or offshoring. You're giving up accountability."

It's a lesson that Lockheed Martin (LMT, Fortune 500) and other big firms learned earlier this year, when the SecurID tokens they used to access sensitive corporate systems were compromised.

Back in March, RSA, a division of EMC Corp. (EMC, Fortune 500), disclosed that hackers had broken into its systems and made off with information about its SecurID products. Late last month, defense contractor Lockheed disclosed a "significant and tenacious" cyber attack on its IT systems.

RSA admitted that information obtained in the March hacking was used in the Lockheed Martin attack. RSA ended up offering to replace SecurID tokens for its customers, and a few including Bank of America (BAC, Fortune 500) and SAP (SAP) immediately accepted.

"The larger global picture is cost vs. security," Aitel says. "You make tradeoffs so it's cheaper month to month, but your chips are on the roulette wheel."

Meanwhile, Google (GOOG, Fortune 500) continues pushing the idea that all of our data should live online. The Chromebooks it launched this month do away with the hard drive entirely and rely entirely on GMail, Google Docs and other cloud services.

At the same time, a spate of high-profile security breaches is offering a daily reminder of the vulnerability of online information.

Sony (SNE) was subjected to major hacks in April and May, which affected several of its gaming systems and potentially compromised tens of millions of credit card numbers.

Last week, Citigroup (C, Fortune 500) revealed more details on a hack attack from last month, revealing that far more credit card accounts were accessed than originally reported: 360,000.

This week, hacking groups Lulz Security and Anonymous announced they have teamed up to target governments around the globe in what they're calling "Operation Anti-Security."

Aitel notes that hacking, security problems and data privacy concerns are nothing new. But he hopes the crop of recent high-profile issues will make users aware that the technology is fallible.

"This is certainly the way things have always been," Aitel says. "But people are coming to a global awareness about how things need to be."